* [PATCH v2] migration: validate page_size in mapped-ram header before use
@ 2026-04-05  9:44 Trieu Huynh
  2026-04-06 13:53 ` Fabiano Rosas
  2026-04-14 19:27 ` Peter Xu
  0 siblings, 2 replies; 3+ messages in thread
From: Trieu Huynh @ 2026-04-05  9:44 UTC (permalink / raw)
  To: qemu-devel; +Cc: peterx, Trieu Huynh, Fabiano Rosas

From: Trieu Huynh <vikingtc4@gmail.com>

mapped_ram_read_header() reads page_size from the migration stream and
stores it in MappedRamHeader, but does not validate that the value is
non-zero before it is later used in parse_ramblock_mapped_ram():

num_pages = length / header.page_size;

If a corrupted or malformed migration stream provides an invalid value, the
guest either resumes with corrupted memory or crashes unexpectedly (e.g.
page_size = 0).

Add validation in mapped_ram_read_header() to reject invalid page_size
values early and return an error instead of continuing with an invalid
header.

Steps to reproduce:

Create a migration snapshot with mapped-ram enabled:
(qemu) migrate_set_capability mapped-ram on
(qemu) migrate file:/tmp/qemu-snapshots/snapshot.bin
Modify the snapshot so that MappedRamHeader.page_size differs from the
target page size (0/512/8192/1GB).
Restore the snapshot:
(qemu) migrate_set_capability mapped-ram on
(qemu) migrate_incoming file:/tmp/qemu-snapshots/snapshot.bin

As-is:
* [0]: Floating point exception (core dumped)
* [512/8192]: Silent corruption
* [1GB]: "post load hook failed for: kvm-tpr-opt" (EPERM)
To-be:
* All: qemu-system-x86_64: Migration mapped-ram header has invalid
  page_size [val] (expected 4096)

Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
---
v2:
- Replace == 0 check with != TARGET_PAGE_SIZE, which also catches
  non-zero wrong values and matches the actual invariant of the
  mapped-ram feature (suggested by Peter Xu)
- Include actual and expected values in the error message

 migration/ram.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/migration/ram.c b/migration/ram.c
index 979751f61b..2046f16caa 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -3088,6 +3088,12 @@ static bool mapped_ram_read_header(QEMUFile *file, MappedRamHeader *header,
     }
 
     header->page_size = be64_to_cpu(header->page_size);
+    if (header->page_size != TARGET_PAGE_SIZE) {
+        error_setg(errp, "Migration mapped-ram header has invalid "
+                   "page_size %" PRIu64 " (expected %d)",
+                   header->page_size, TARGET_PAGE_SIZE);
+        return false;
+    }
     header->bitmap_offset = be64_to_cpu(header->bitmap_offset);
     header->pages_offset = be64_to_cpu(header->pages_offset);
 
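Review bot: `header->bitmap_offset` and `header->pages_offset`, byte-swapped on the two context lines right after the new check, are still taken from the stream with no range check in this function, so a file whose page_size is correct but whose offsets point past the end of the file is not rejected here; a follow-up that validates both offsets against the file size would close that off in the same place. One wording nit: the commit text's first paragraph still describes the v1 condition ("does not validate that the value is non-zero"), while the code now enforces equality with TARGET_PAGE_SIZE, so the paragraph could state the v2 invariant directly.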
-- 
2.43.0

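An added C example (not QEMU's code) modelling the check the patch introduces: a constructed mapped-ram header is parsed, page_size is validated against an assumed expected size of 4096 before the `length / page_size` division from the commit message is reached, and the rejection reason is kept the way `errp` would carry it. The header layout, the `mr_hdr` struct and the `pages_for_block`/`last_error` helpers are assumptions for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed, simplified stand-in for MappedRamHeader: four big-endian 64-bit
 * fields. Example layout only, not QEMU's exact struct. */
struct mr_hdr { uint64_t version, page_size, bitmap_offset, pages_offset; };
#define HDR_LEN 32
#define EXPECTED_PAGE_SIZE 4096 /* plays the role of TARGET_PAGE_SIZE */
static char last_err[128];      /* last rejection reason, like errp */

static uint64_t get_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void put_be64(uint8_t *p, uint64_t v) {
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Mirror of the patched mapped_ram_read_header(): byte-swap page_size and
 * reject anything but the expected size before the offsets are consumed. */
static bool read_header(const uint8_t *buf, size_t len, struct mr_hdr *h) {
    if (len < HDR_LEN) { snprintf(last_err, sizeof last_err, "short header"); return false; }
    h->version = get_be64(buf);
    h->page_size = get_be64(buf + 8);
    if (h->page_size != EXPECTED_PAGE_SIZE) {
        snprintf(last_err, sizeof last_err, "mapped-ram header has invalid page_size %"
                 PRIu64 " (expected %d)", h->page_size, EXPECTED_PAGE_SIZE);
        return false;
    }
    h->bitmap_offset = get_be64(buf + 16);
    h->pages_offset = get_be64(buf + 24);
    return true;
}

const char *last_error(void) { return last_err; }

/* Build a constructed header carrying `stream_page_size`, parse it, and return
 * num_pages for a RAM block of `length` bytes, or 0 if the header is rejected.
 * The division is reached only after page_size has been validated. */
uint64_t pages_for_block(uint64_t stream_page_size, uint64_t length) {
    uint8_t buf[HDR_LEN]; struct mr_hdr h;
    put_be64(buf, 1); put_be64(buf + 8, stream_page_size); /* version, page_size */
    put_be64(buf + 16, HDR_LEN);      /* bitmap_offset: right after the header */
    put_be64(buf + 24, 2 * HDR_LEN);  /* pages_offset: after the bitmap */
    last_err[0] = '\0';
    if (!read_header(buf, sizeof buf, &h)) return 0;
    return length / h.page_size;
}
```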

* Re: [PATCH v2] migration: validate page_size in mapped-ram header before use
  2026-04-05  9:44 [PATCH v2] migration: validate page_size in mapped-ram header before use Trieu Huynh
@ 2026-04-06 13:53 ` Fabiano Rosas
  2026-04-14 19:27 ` Peter Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Fabiano Rosas @ 2026-04-06 13:53 UTC (permalink / raw)
  To: Trieu Huynh, qemu-devel; +Cc: peterx, Trieu Huynh

Trieu Huynh <vikingtc4@gmail.com> writes:

> From: Trieu Huynh <vikingtc4@gmail.com>
>
> mapped_ram_read_header() reads page_size from the migration stream and
> stores it in MappedRamHeader, but does not validate that the value is
> non-zero before it is later used in parse_ramblock_mapped_ram():
>
> num_pages = length / header.page_size;
>
> If a corrupted or malformed migration stream provides an invalid value, the
> guest either resumes with corrupted memory or crashes unexpectedly (e.g.
> page_size = 0).
>
> Add validation in mapped_ram_read_header() to reject invalid page_size
> values early and return an error instead of continuing with an invalid
> header.
>
> Steps to reproduce:
>
> Create a migration snapshot with mapped-ram enabled:
> (qemu) migrate_set_capability mapped-ram on
> (qemu) migrate file:/tmp/qemu-snapshots/snapshot.bin
> Modify the snapshot so that MappedRamHeader.page_size differs from the
> target page size (0/512/8192/1GB).
> Restore the snapshot:
> (qemu) migrate_set_capability mapped-ram on
> (qemu) migrate_incoming file:/tmp/qemu-snapshots/snapshot.bin
>
> As-is:
> * [0]: Floating point exception (core dumped)
> * [512/8192]: Silent corruption
> * [1GB]: "post load hook failed for: kvm-tpr-opt" (EPERM)
> To-be:
> * All: qemu-system-x86_64: Migration mapped-ram header has invalid
>   page_size [val] (expected 4096)
>
> Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
> ---
> v2:
> - Replace == 0 check with != TARGET_PAGE_SIZE, which also catches
>   non-zero wrong values and matches the actual invariant of the
>   mapped-ram feature (suggested by Peter Xu)
> - Include actual and expected values in the error message
>
>  migration/ram.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/migration/ram.c b/migration/ram.c
> index 979751f61b..2046f16caa 100644
> --- a/migration/ram.c
> +++ b/migration/ram.c
> @@ -3088,6 +3088,12 @@ static bool mapped_ram_read_header(QEMUFile *file, MappedRamHeader *header,
>      }
>  
>      header->page_size = be64_to_cpu(header->page_size);
> +    if (header->page_size != TARGET_PAGE_SIZE) {
> +        error_setg(errp, "Migration mapped-ram header has invalid "
> +                   "page_size %" PRIu64 " (expected %d)",
> +                   header->page_size, TARGET_PAGE_SIZE);
> +        return false;
> +    }
>      header->bitmap_offset = be64_to_cpu(header->bitmap_offset);
>      header->pages_offset = be64_to_cpu(header->pages_offset);
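Review bot: no regression test accompanies the check; since the commit text already spells out a reproducer (a mapped-ram file with page_size rewritten to 0, 512, 8192 or 1GB), a migration qtest that hands such a header to migrate_incoming and expects the "invalid page_size ... (expected ...)" error would keep this from silently regressing if the header parsing is reworked later.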

Reviewed-by: Fabiano Rosas <farosas@suse.de>


* Re: [PATCH v2] migration: validate page_size in mapped-ram header before use
  2026-04-05  9:44 [PATCH v2] migration: validate page_size in mapped-ram header before use Trieu Huynh
  2026-04-06 13:53 ` Fabiano Rosas
@ 2026-04-14 19:27 ` Peter Xu
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Xu @ 2026-04-14 19:27 UTC (permalink / raw)
  To: Trieu Huynh; +Cc: qemu-devel, Fabiano Rosas

On Sun, Apr 05, 2026 at 04:44:47PM +0700, Trieu Huynh wrote:
> From: Trieu Huynh <vikingtc4@gmail.com>
> 
> mapped_ram_read_header() reads page_size from the migration stream and
> stores it in MappedRamHeader, but does not validate that the value is
> non-zero before it is later used in parse_ramblock_mapped_ram():
> 
> num_pages = length / header.page_size;
> 
> If a corrupted or malformed migration stream provides an invalid value, the
> guest either resumes with corrupted memory or crashes unexpectedly (e.g.
> page_size = 0).
> 
> Add validation in mapped_ram_read_header() to reject invalid page_size
> values early and return an error instead of continuing with an invalid
> header.
> 
> Steps to reproduce:
> 
> Create a migration snapshot with mapped-ram enabled:
> (qemu) migrate_set_capability mapped-ram on
> (qemu) migrate file:/tmp/qemu-snapshots/snapshot.bin
> Modify the snapshot so that MappedRamHeader.page_size differs from the
> target page size (0/512/8192/1GB).
> Restore the snapshot:
> (qemu) migrate_set_capability mapped-ram on
> (qemu) migrate_incoming file:/tmp/qemu-snapshots/snapshot.bin
> 
> As-is:
> * [0]: Floating point exception (core dumped)
> * [512/8192]: Silent corruption
> * [1GB]: "post load hook failed for: kvm-tpr-opt" (EPERM)
> To-be:
> * All: qemu-system-x86_64: Migration mapped-ram header has invalid
>   page_size [val] (expected 4096)
> 
> Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>

Reviewed-by: Peter Xu <peterx@redhat.com>

-- 
Peter Xu

